Setting Up a Kerberos Relay for the Microsoft Exchange 2013 Server DEPLOYMENT GUIDE
Disclaimer: This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions.

To set up a Kerberos relay for the Microsoft Exchange 2013 server:

1. Create an account in Active Directory for the A10 Networks Thunder Series and set a service principal name (SPN) on this account. In the example in Figure 1, the account name is kcdpt and the SPN is ax/cdpt.

Figure 1: Account name

2. Ensure that the user logon name of the account is the same as the SPN (ax/cdpt). The Thunder Series authenticates to the KDC as this principal, so the two must match.

Figure 2: Account details tab

3. On the Thunder Series, configure the Kerberos relay. In the following example, ax/cdpt is the kerberos-account of the relay krb-relay, the password is the password of the kcdpt account, and the kerberos-realm is the Active Directory (AD) domain name in capital letters:

  aam authentication relay kerberos krb-relay
    kerberos-realm A10LAB.COM
    kerberos-kdc 192.168.221.50
    kerberos-account ax/cdpt
    password encrypted u40dcaprh0td6hspiq1phjwqjljv2wdnpbcmunxbaoc8eiy41dsa5zwqjljv2wdn

4. On the Exchange server, log in to the Exchange admin center (EAC).

5. Click Servers > Virtual Directories.

6. Edit the OWA virtual directory.

7. On the Authentication tab, select Use one or more standard authentication methods.

8. Select the Integrated Windows authentication checkbox.

Figure 3: Editing the OWA virtual directory

The same settings also apply to the ECP virtual directory.

9. In PowerShell, enter the following command to restart IIS on the Exchange server. IIS must be restarted on every Exchange server after any change to the authentication settings:

  iisreset /noforce

10. On the Authentication tab, review the settings on the OWA virtual directory.

Figure 4: Reviewing the OWA settings

If the settings do not match, alter them manually on this page and run iisreset again. Make sure that anonymous authentication is also enabled for the ECP virtual directory.

11. Add an SPN in the format service/fqdn to the Exchange server's computer account. In the example in Figure 5, the Exchange server's computer account is winsrv2012.

Figure 5: Computer account for the Exchange server

The same SPN is configured under service-principal-name on the SLB server, so that the relay requests a service ticket for exactly the principal the back end accepts:

  slb server exchange 192.168.230.84
    port 443 tcp
      service-principal-name HTTPS/mail.a10lab.com

You must ensure that the highlighted SPNs exist under this account:

Figure 5: SPNs in the account

In the example in Figure 5, winsrv2012.a10lab.com is the internal URL of the Exchange server. If the SPNs are not present, see http://blogs.technet.com/b/kpapadak/archive/2011/03/13/setting-up-kerberos-with-a-clientaccess-server-array.aspx for information about creating a service account and associating it with an Exchange server.

12. Delegate control to the Thunder Series account, kcdpt, so that it can obtain tickets for the Exchange server, by adding the Exchange server's SPNs to the delegation list of the Thunder Series account (constrained delegation to the specified services only). Because the relay requests tickets on behalf of any user it has authenticated, keep the delegation list limited to the Exchange SPNs actually in use, protect the kcdpt password like any other credential that can impersonate users, and mark highly privileged accounts as sensitive and not delegable so a compromised relay cannot act as them.

Figure 6: Delegating control to the Thunder Series account
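The Active Directory and Exchange side of steps 1 to 12 can be done from PowerShell instead of the GUI. The following script is an added example, not part of the A10 guide, using the names the guide uses (kcdpt, ax/cdpt, winsrv2012, mail.a10lab.com). It assumes a Domain Admin session on a host with the RSAT ActiveDirectory module, that the Exchange section runs in the Exchange Management Shell on the Exchange server, and that the OU, the AES-only encryption type and the Test-KcdSetup helper are local choices rather than anything the guide prescribes.

```powershell
# Added example (not A10's code): steps 1-12 on the AD/Exchange side, with a final check.
Import-Module ActiveDirectory

$Domain    = 'a10lab.com'                 # realm on the Thunder Series is A10LAB.COM
$RelayAcct = 'kcdpt'                      # step 1: Thunder Series service account
$RelaySpn  = 'ax/cdpt'                    # SPN and user logon name of that account
$ExchHost  = 'winsrv2012'                 # step 11: Exchange computer account
$ExchSpns  = @("HTTP/mail.$Domain", "HTTPS/mail.$Domain",
               "HTTP/$ExchHost.$Domain", "HTTPS/$ExchHost.$Domain")
$OU        = 'OU=ServiceAccounts,DC=a10lab,DC=com'   # assumed OU

# Steps 1-2: the user logon name (UPN) equals the SPN, so the principal is ax/cdpt@a10lab.com,
# which is what 'show aam authentication klist' later reports as the default principal.
$pw = Read-Host -AsSecureString "Password for $RelayAcct (same value as on the Thunder Series)"
New-ADUser -Name $RelayAcct -SamAccountName $RelayAcct -Path $OU `
    -UserPrincipalName "$RelaySpn@$Domain" -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true
Set-ADUser -Identity $RelayAcct -ServicePrincipalNames @{Add = $RelaySpn}
# Assumed hardening: restrict the account to AES. Remove it if the relay cannot negotiate AES.
Set-ADUser -Identity $RelayAcct -KerberosEncryptionType 'AES128,AES256'

# Steps 4-10 (Exchange Management Shell): Integrated Windows authentication on OWA and ECP,
# anonymous left enabled on /ecp as the guide requires, then a soft IIS restart.
$owa = "$ExchHost\owa (Default Web Site)"
$ecp = "$ExchHost\ecp (Default Web Site)"
Set-OwaVirtualDirectory -Identity $owa -WindowsAuthentication $true `
    -FormsAuthentication $false -BasicAuthentication $false -DigestAuthentication $false
Set-EcpVirtualDirectory -Identity $ecp -WindowsAuthentication $true `
    -FormsAuthentication $false -BasicAuthentication $false -DigestAuthentication $false
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\ecp' `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $true
& iisreset.exe /noforce
Get-OwaVirtualDirectory -Identity $owa | Format-List *Authentication*   # step 10 review

# Step 11: SPNs for every name clients and the Thunder Series use for Exchange.
# setspn -S refuses to add an SPN already held by another account; duplicates break Kerberos.
foreach ($spn in $ExchSpns) { & setspn.exe -S $spn $ExchHost }

# Step 12: constrained delegation from kcdpt to the Exchange SPNs only. The relay authenticates
# the user itself and then requests tickets on the user's behalf (S4U2Self/S4U2Proxy), which
# needs "use any authentication protocol", i.e. TrustedToAuthForDelegation on the account.
Set-ADUser -Identity $RelayAcct -Add @{'msDS-AllowedToDelegateTo' = $ExchSpns}
Set-ADAccountControl -Identity $RelayAcct -TrustedToAuthForDelegation $true

# Assumed helper: returns $true only when every piece the guide asks for is in place.
function Test-KcdSetup {
    $u = Get-ADUser -Identity $RelayAcct -Properties UserPrincipalName, ServicePrincipalNames, `
         'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    $c = Get-ADComputer -Identity $ExchHost -Properties ServicePrincipalNames
    $missingOnHost  = @($ExchSpns | Where-Object { $_ -notin $c.ServicePrincipalNames })
    $missingInDeleg = @($ExchSpns | Where-Object { $_ -notin $u.'msDS-AllowedToDelegateTo' })
    # setspn -Q prints one "CN=" line per account holding the SPN; more than one is a duplicate.
    $dupes = @($ExchSpns | Where-Object {
        (& setspn.exe -Q $_ | Select-String -SimpleMatch 'CN=').Count -gt 1 })
    $result = [pscustomobject]@{
        UpnMatchesSpn      = ($u.UserPrincipalName -eq "$RelaySpn@$Domain") -and
                             ($RelaySpn -in $u.ServicePrincipalNames)
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation
        MissingOnHost      = $missingOnHost
        MissingInDeleg     = $missingInDeleg
        DuplicateSpns      = $dupes
    }
    $result | Format-List
    return $result.UpnMatchesSpn -and $result.ProtocolTransition -and
           -not $missingOnHost -and -not $missingInDeleg -and -not $dupes
}
Test-KcdSetup
```

Run Test-KcdSetup again after any change on the Thunder Series; if it passes but show aam authentication klist shows no ticket for HTTPS/mail.a10lab.com, the remaining suspects are the realm spelling (upper case), the KDC address and clock skew between the Thunder Series and the domain controller.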

The sample configuration also includes settings for Microsoft SharePoint. The parts that matter for the relay are the client-ssl template cssl, which requires a client certificate and takes the user name from the certificate's subject alternative name (otherName, i.e. the UPN) so that the relay knows whom to impersonate; the aaa-policy that binds the authentication template kltest, and through it the relay krb-relay, to the virtual ports; and the service-principal-name on each SLB server port.

TH4430#sh run
Current configuration: 900 bytes
Configuration last updated at 21:40:42 PST Mon Nov 10 2014
Configuration last saved at 21:40:42 PST Mon Nov 10 2014
64-bit Advanced Core OS (ACOS) version 4.0.0, build 489 (Nov-07-2014,09:03)
partition p1 id 1
timezone America/Los_Angeles
interface management
  ip address 192.168.230.45 255.255.255.0
  ip default-gateway 192.168.230.254
interface ethernet 1
interface ethernet 2
interface ethernet 3
  enable
  ip address 192.168.231.21 255.255.255.0
interface ethernet 4
interface ethernet 5
interface ethernet 6
interface ethernet 7
interface ethernet 8
  enable
  ip address 10.50.50.1 255.255.255.0
interface ethernet 9
interface ethernet 10
interface ethernet 11
interface ethernet 12
ip route 0.0.0.0 /0 192.168.231.254
aam authentication server ldap dummy
aam authentication server ocsp ocsp_serv
  url http://192.168.230.101:80/ocsp
slb template server-ssl s1
slb server exchange 192.168.230.84
  port 80 tcp
    service-principal-name HTTP/mail.a10lab.com
  port 443 tcp
    service-principal-name HTTPS/mail.a10lab.com
slb server sptest1 192.168.221.100
  port 80 tcp
    service-principal-name HTTP/sptest1.a10lab.com
  port 443 tcp
    service-principal-name HTTPS/sptest1ssl.a10lab.com
  port 8888 tcp
    service-principal-name HTTP/sptest1.a10lab.com
aam authentication relay kerberos krb-relay
  kerberos-realm A10LAB.COM
  kerberos-kdc 192.168.221.50
  kerberos-account ax/cdpt
  password encrypted u40dcaprh0td6hspiq1phjwqjljv2wdnpbcmunxbaoc8eiy41dsa5zwqjljv2wdn
aam authentication template kltest
  relay krb-relay
  server dummy
aam aaa-policy my-aaa-policy
  aaa-rule 1
    action allow
    authentication-template kltest
slb service-group exch-443 tcp
  member exchange 443
slb service-group exch-80 tcp
  member exchange 80
slb service-group mywsu-sg-443 tcp
  member sptest1 443
slb service-group mywsu-sg-80 tcp
  member sptest1 80
slb service-group mywsu-sg-8888 tcp
  member sptest1 8888
slb template client-ssl cssl
  auth-username subject-alt-name-othername
  ca-cert AD03-CA
  cert 230.45-cert
  client-certificate Require
  key 230.45-cert
slb template client-ssl exch-ssl
  cert 230.45-cert
  key 230.45-cert
slb virtual-server exchange-vs 192.168.231.22
  port 80 http
    source-nat auto
    service-group exch-80
  port 443 https
    source-nat auto
    service-group exch-443
    template server-ssl s1
    template client-ssl cssl
    aaa-policy my-aaa-policy
slb virtual-server sharepoint-vs 192.168.231.234
  port 80 https
    source-nat auto
    service-group mywsu-sg-80
    template client-ssl cssl
    aaa-policy my-aaa-policy
  port 443 https
    source-nat auto
    service-group mywsu-sg-443
    template server-ssl s1
    template client-ssl cssl
    aaa-policy my-aaa-policy
  port 8888 https
    source-nat auto
    service-group mywsu-sg-8888
    template client-ssl cssl
    aaa-policy my-aaa-policy
multi-config enable
terminal idle-timeout 0
end
Current config commit point for partition 0 is 0 & config mode is classicalmode

Tickets obtained:

TH4430#sh aam authentication klist
-----------------------
Ticket cache: MEMORY:krb-relay
Default principal: ax/cdpt@a10lab.com

Service principal: HTTPS/mail.a10lab.com@A10LAB.COM
Client principal: dcadmin@a10lab.com
timespan: 11:30 11,Nov,2014-21:30 11,Nov,2014
renew untill: 11:30 18,Nov,2014
flags: FRA

Service principal: ax/cdpt@a10lab.com
Client principal: dcadmin@a10lab.com
timespan: 11:30 11,Nov,2014-21:30 11,Nov,2014
renew untill: 11:30 18,Nov,2014
flags: FRA

Service principal: krbtgt/a10lab.com@a10lab.com
Client principal: ax/cdpt@a10lab.com
timespan: 11:31 11,Nov,2014-21:30 11,Nov,2014
renew untill: 11:31 18,Nov,2014
flags: FRIA
TH4430#

The three entries are, from the bottom up, the relay's own ticket-granting ticket (krbtgt, flag I for initial), the ticket the relay obtained to itself on behalf of the authenticated user dcadmin (S4U2Self), and the service ticket for HTTPS/mail.a10lab.com issued for dcadmin (S4U2Proxy), which is the one presented to Exchange. Flags F, R and A mean forwardable, renewable and pre-authenticated. If the last two entries are missing while the TGT is present, the delegation list in step 12 or the SPN in step 11 is wrong; if even the TGT is missing, check the account, password, realm and KDC configured in step 3. Note that the user impersonated here is a domain administrator in the lab; in production, privileged accounts should be marked sensitive and not delegable.

Part Number: A10-DG-16145-EN-02, June 2015. 2015 A10 Networks, Inc. All rights reserved.